Don’t Like The Game? Change The Rules — A Look Into Modern Platform Strategy

Clayton Christensen recently tweeted that “any strategy is (at best) only temporarily correct.” The paradox behind this statement is that great managers hyper-optimize their business lines for profit only to see new entrants come in to take all the money off the table. This type of perfect competition can shoot a company off the edge of a cliff.

Creative disruption a la Apple and Amazon is the answer, but little is discussed of startups catapulting their own successes into new markets. We usually only hear of the overnight success stories like Facebook. But with technology change reaching tornado speed and the pathway from David to Goliath longer than ever, change is important for startups to embrace early and often. For entrepreneurs eager to endure in the competitive and complicated markets of enterprise software, I’d like to offer up an anecdote of our portfolio company vArmour evolving its platform strategy for a new sprint at competitive advantage in the security software industry.

For brief context, vArmour develops a platform for securing cloud and data center applications. After identifying a killer use case in microsegmentation and embedding its “fabric” into customer environments, it leveraged the multiplier effects of highly distributed security architecture to expand into new product categories with the goal of more holistically addressing (and becoming synonymous with) cloud security.

But as the market evolves and the stakes get bigger, things are getting competitive along the very dimensions that propelled vArmour into an early market leadership position:

• Illumio, Guardicore, and CloudPassage bring application visibility with a host-based instrument.
• VMware and Cisco offer layer 4 microsegmentation to conservative customers willing to sacrifice depth of application security for the comfort of a trusted vendor.
• Palo Alto Networks and Checkpoint virtualize their application-aware firewalls to compete on the portability dimension of vArmour’s value proposition.
• Open source networking security is becoming all the rage in the cloud native community with projects like CoreOS Flannel and Tigera Calico bringing existential risk to the entire commercial landscape.
• New startups with increments of new introspection at the container and code layer like Twistlock, Acqua Security, and Signal Sciences may morph into competition.

The paradox is that with the rapid shift to cloud native architectures where infrastructure is code, applications are increasingly agnostic of the very networks that serve them. It’s about applications, not the infrastructure.

And so vArmour is shifting its narrative from the network to the application layer with the introduction of Policy Architect (PA) — a new type of unified, cross-platform policy control panel. In many ways, this move is characteristic of the company’s core mantra of openness and API-based extensibility. PA integrates seamlessly with any source for network flow and workload meta data. By decoupling policy enforcement from underlying introspection mechanisms, it casts a wider net of application intelligence than any integrated segmentation/policy engine solution. Hence, it creates a dynamic System of Intelligence shifting the conversation in cloud security up the stack.

How defensible is Policy Architect? As a System of Intelligence, it creates process-based advantage through the perfect portmanteau of data, algorithms, domain expertise, and data-driven product design:

• Data: Application metadata is captured across all systems of record, not just one. Cisco, VMware, Palo Alto, and the host-based cloud infrastructure security vendors (Illumio, Guardicore, CloudPassage) are limited by their install bases and thus cannot compete on the dimension of data.
• AI: Machine learning algorithms better automate policy creation when there is a plethora of information on application traffic flows to reference and train on. Thus the more traffic flow data, the more accurate the machine learning algorithms will suggest and execute on policy creation. The open platform architecture of PA allows for more data feeds to fuel the algorithm training lifecycle.
• Domain expertise: Autonomous policy management is a goal that can only be reached if domain expertise is embedded in the AI training feedback loop. For non-trivial scenarios and niche applications where the policy engine spits out a dependency mapping that fails to meet a threshold level of confidence, the onus is on the security analyst to make the specifications. These dependency mappings are then fed back into the System of Intelligence so it may do a better job at suggesting a dependency mapping the next time an application is updated.
• Data-driven product design: Turning intelligence into action anchors product design. The PA interface abstracts details away so a security analyst can take next-best action. This makes the “work” lightweight and business-oriented. And the presence of large amount of corroborating information makes it easy for the security analyst to effect policies that are secure and safe from business-impacting error.

As Systems of Intelligence set their mark in the cloud security market, microsegmentation is relegated to “plumbing” and the strategic control point in the industry moves “up the stack” to policy creation. With this shift, the rules of the game move from superior methods of introspection to scale and quality of data to fuel AI-powered automation.

Systems of Intelligence are the perfect recipes to forge sustainable competitive advantage as AI infiltrates every corner of the enterprise software industry. Only time will tell if vArmour’s asymmetric approach of promoting policies to boost its core fabric business proves fruitful. If so, it will be a lesson learned on how Systems of Intelligence can change the rules of the game and create unfair advantage.

Disclaimer: vArmour is a Work-Bench Ventures portfolio company.

This post first appeared on Work-Bench’s blog on June 15, 2017.